6 research outputs found

    The NSF/NIH Effect: Surveying the Effect of Data Management Requirements on Faculty, Sponsored Programs, and Institutional Repositories

    The scholarly communication landscape is rapidly changing and nowhere is this more evident than in the field of data management. Mandates by major funding agencies, further expanded by executive order and pending legislation in 2013, require many research grant applicants to provide data management plans for preserving and making their research data openly available. However, do faculty researchers have the requisite skill sets and are their institutions providing the necessary infrastructure to comply with these mandates? To answer these questions, three groups were surveyed in 2012: research and teaching faculty, sponsored programs office staff, and institutional repository librarians. Survey results indicate that while faculty desire to share their data, they often lack the skills to do this effectively. Similarly, while repository managers and sponsored programs offices often provide the necessary infrastructure and knowledge, these resources are not being promoted effectively to faculty. The study offers important insights about services academic libraries can provide to support faculty in their data management efforts: providing tools for sharing research data; assisting with describing, finding, or accessing research data; providing information on copyright and ownership issues associated with data sets; and assisting with writing data management plans

    Organizational practices as antecedents of the information security management performance

    ABSTRACT: Purpose: The purpose of this paper is to expand current knowledge about the security organizational practices and analyze its effects on the information security management performance. Design/methodology/approach: Based on the literature review, the authors propose a research model together with hypotheses. The survey questionnaires were developed to collect data, which then validated the measurement model. The authors collected 111 responses from CEOs at manufacturing small- and medium-sized enterprises (SMEs) that had already implemented security policies. The hypothesized relationships were tested using the structural equation model approach with EQS 6.1 software. Findings: Results validate that information security knowledge sharing, information security education and information security visibility, as well as security organizational practices, have a positive effect on the information security management performance. Research limitations/implications: The consideration of organizational aspects of information security should be taken into account by academics, practitioners and policymakers in SMEs. Besides, the work helps validate novel constructs used in recent research (information security knowledge sharing and information security visibility). Practical implications: The authors extend previous works by analyzing how security organizational practices affect the performance of information security. The results suggest that an improved performance of information security in the industrial SMEs requires innovative practices to foster knowledge sharing among employees. Originality/value: The literature recognizes the need to develop empirical research on information security focused on SMEs. Besides the need to identify organizational practices that improve information security, this paper empirically investigates SMEs' organizational practices in the security of information and analyzes its effects on the performance of information security

    Employee and Organization Security Value Alignment Through Value Sensitive Security Policy Design

    Every member of the organization must be involved in proactively and consistently preventing data loss. Implementing a culture of security has proven to be a reliable method of enfranchising employees to embrace security behavior. However, it takes more than education and awareness of policies and directives to effect a culture of security. Research into organizational culture has shown that programs to promote organizational culture - and thus security behavior - are most successful when the organization's values are congruent with employee values. What has not been clear is how to integrate the security values of the organization and its employees in a manner that promotes security culture. This study extended current research related to values and security culture by applying Value Sensitive Design (VSD) methodology to the design of an end user security policy. Through VSD, employee and organizational security values were defined and integrated into the policy. In so doing, the study introduced the concept of value sensitive security policy (VSP) and identified a method for using VSPs to promote a culture of security. At a time when corporate values are playing such a public role in defining the organization, improving security by increasing employee-organization value congruence is both appealing and practical

    Cyber Security Training in Small to Medium-sized Enterprises (SMEs): Exploring Organisation Culture and Employee Training Needs

    Research shows that large businesses routinely provide cyber security training, to educate and train staff in readiness for a cyber threat. Contrary to this, small to medium enterprises (SMEs), are either unaware of risks and/or lack the financial resources for training and education. As a result, SMEs frequently fall victim to security breaches, and this can affect business reputation, access to private details, finance, and potential future business with clients. Although investments are sometimes made to train staff, there are still shortcomings with the design and delivery of cyber security training, that may impact learners' perceptions and attitudes towards learning. Rather than applying learning theories, adult learning principles, and fundamentals for developing business objectives, training approaches are typically technical and knowledge-based. Past research has primarily looked at this problem from a computing perspective, instead of a psychological lens, that explores the nature of human beings and what affects learning and transfer of knowledge in the workplace. The design of cyber training incorporates knowledge-based questions to address learning objectives, however, there is a lack of interrogation into the effectiveness of training, and this raises the question, how effective is cyber training? This thesis aims to evaluate learning theories and training evaluation methods by comparing them to the literature. The thesis will investigate the selection, development, and delivery of cyber security training and identify how, and if, these address employee training needs. The results will demonstrate the methods to derive cyber security training content compared to what the literature proposes, what training evaluation methods are used and how they address employees and the organisation’s needs. The thesis adopts a qualitative approach with one exception. 
Studies 1a and 1b are part of a larger project, study 1a collected quantitative data, through a knowledge survey, which provided background insight into participant knowledge. Study 1b involves a follow-up interview about the Study 1a survey. The interviews involved 14 SME business owners in Dorset and focused on perceptions, peer influence, and motivation. The results from Study 1b highlight that organisational culture influenced attitudes and perceptions from other colleagues and managers towards cyber security. The results showed that employees showed little to no attention to cyber security due to work priorities. Participants associated their poor learning and lack of behaviour change with limitations and style of the delivery and content of the training. The results acquired in Study 1b prompted reason to further investigate training development and organisational culture in a second study. The second study (Study 2) also adopted a qualitative approach and investigates the process of how cyber security training is selected, devised, and delivered to businesses. The interview participants are content developers, awareness professionals, and employees. In addition, one of the aims of Study 2 is to investigate how much employee training needs are evaluated in the process of training selection. There was a total of 27 interviews with content developers, employees, and awareness professionals. The results from Study 2 showed that employee training needs are not evaluated in the selection process. Employees discussed factors that influence their attitudes towards cyber security, such as internal and external motivation, training material and time constraints. The key conclusions from the studies demonstrate that content developers create arbitrary training because they neglect to investigate the needs of employees. 
In addition, awareness professionals neglect to support staff and outline training objectives, which leads to training that does not address employee challenges and, as a result, causes employees to feel disengaged, lose interest, and fail to apply what they have learned in training in the workplace. The findings from this research contribute to the cyber training and education community, as the thesis produced research-based guidance for developing training for SMEs. The current landscape fails to address security training from a psychological lens or established domains, like Education and Training. Key findings from this research demonstrate that consideration of employee training needs is vital for learning and transferring knowledge in the workplace

    Designing and Aligning e-Science Security Culture with Design

    The purpose of this paper is to identify the key cultural concepts affecting security in multi-organisational systems, and to align these with design techniques and tools. A grounded theory model of security culture was derived from the related security culture literature and empirical data from an e-Science project. Influencing concepts were derived from these, and aligned with recent work on techniques and tools for usable secure systems design. Roles and responsibility, sub-cultural norms and contexts, and different perceptions of requirements were found to be influencing concepts towards a culture of security. These concepts align with recent work on personas, environment models, and related tool support. This paper contributes a theoretically and empirically grounded model of security culture. This is also the first paper explicitly aligning key concepts of security culture to design techniques and tools

    Designing and aligning e-science security culture with design.

    No full text
    The purpose of this paper is to identify the key cultural concepts affecting security in multi-organisational systems, and to align these with design techniques and tools. A grounded theory model of security culture was derived from the related security culture literature and empirical data from an e-Science project. Influencing concepts were derived from these, and aligned with recent work on techniques and tools for usable secure systems design. Roles and responsibility, sub-cultural norms and contexts, and different perceptions of requirements were found to be influencing concepts towards a culture of security. These concepts align with recent work on personas, environment models, and related tool support. This paper contributes a theoretically and empirically grounded model of security culture. This is also the first paper explicitly aligning key concepts of security culture to design techniques and tools